Adi Sharabani, manager of our own IBM Rational Security Group, gave a keynote presentation on the subject of Active Man in the Middle attacks at the recent OWASP AU conference that was held yesterday.
With an Active MitM attack targeting Web Applications, an attacker can steal users' private data for any site he chooses if his victim uses a public network to read the latest news headlines or weather report on an 'uninteresting' site. In addition, the attack could also be made persistent, even after the victim has left the MitM influence. These attacks are a product of a serious design flaw and not an implementation error or bug.
Although MitM attacks against Web Applications have been partially discussed before with similar issues such as "SideJacking" and "Surf Jacking", a comprehensive full research has yet to have been performed.
The presentation attached gives an overview of the subject while the paper gives thorough in-depth description of this dangerous category of attacks and proposed remedies.
You can download the presentation in PPT format here, or download the full version of the whitepaper as PDF here.
